This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 23395ce

vucalur authored and gkalpak committed
docs($http): reword the XSRF attack overview
Previous version emphasised "gaining user's private data". While this perfectly describes JSON vulnerability (which is based on XSRF), data theft suits XSS more. Pure XSRF is more about performing requests that have side effects. Closes #13901
1 parent: c81c9e7 · commit: 23395ce

1 file changed: +7 −7 lines changed


src/ng/http.js

Lines changed: 7 additions & 7 deletions
@@ -749,13 +749,13 @@ function $HttpProvider() {
749749
*
750750
* ### Cross Site Request Forgery (XSRF) Protection
751751
*
752-
* [XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) is a technique by which
753-
* an unauthorized site can gain your user's private data. Angular provides a mechanism
754-
* to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie
755-
* (by default, `XSRF-TOKEN`) and sets it as an HTTP header (`X-XSRF-TOKEN`). Since only
756-
* JavaScript that runs on your domain could read the cookie, your server can be assured that
757-
* the XHR came from JavaScript running on your domain. The header will not be set for
758-
* cross-domain requests.
752+
* [XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by
753+
* which the attacker can trick an authenticated user into unknowingly executing actions on your
754+
* website. Angular provides a mechanism to counter XSRF. When performing XHR requests, the
755+
* $http service reads a token from a cookie (by default, `XSRF-TOKEN`) and sets it as an HTTP
756+
* header (`X-XSRF-TOKEN`). Since only JavaScript that runs on your domain could read the
757+
* cookie, your server can be assured that the XHR came from JavaScript running on your domain.
758+
* The header will not be set for cross-domain requests.
759759
*
760760
* To take advantage of this, your server needs to set a token in a JavaScript readable session
761761
* cookie called `XSRF-TOKEN` on the first HTTP GET request. On subsequent XHR requests the
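Review bot: the reworded opening sentence (lines 752-754) now describes XSRF correctly as forged side-effecting requests rather than data theft, but the paragraph no longer says why the forgery works, which is what makes the cookie-to-header scheme in the following sentences convincing: the browser attaches the user's session cookies to a request regardless of which site initiated it. Consider adding one clause to that effect, e.g. "... into unknowingly executing actions on your website, because the browser sends the user's cookies with any request to your site". Minor style point on line 756: "Since only JavaScript that runs on your domain could read the cookie" reads better as "can read the cookie", matching the present tense used in the rest of the paragraph.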
